CISA Adds 8 Exploited Errors to KEV, Stops April-May 2026 Federal Deadline
The Cybersecurity and Infrastructure Security Agency (CISA) of the US on Monday added two new vulnerabilities to its catalog known as Known Exploited Vulnerabilities (KEV), including three flaws affecting the Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerable is as follows –
- CVE-2023-27351 (CVSS Score: 8.2) – An improper authentication vulnerability in PaperCut NG/MF could allow an attacker to bypass authentication of an affected installation using the SecurityRequestFilter class.
- CVE-2024-27199 (CVSS Score: 7.3) – A cross-path vulnerability in JetBrains TeamCity could allow an attacker to perform limited administrative actions.
- CVE-2025-2749 (CVSS Score: 7.2) – A path crossing vulnerability in Kentico Xperience could allow a user’s Staging synchronization server to upload inappropriate data to related destinations.
- CVE-2025-32975 (CVSS Score: 10.0) – An improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) could allow an attacker to impersonate legitimate users without valid credentials.
- CVE-2025-48700 (CVSS Score: 6.1) – A database scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to execute arbitrary JavaScript during a user session, leading to unauthorized access to sensitive information.
- CVE-2026-20122 (CVSS Score: 5.4) – Improper use of an API vulnerability in Cisco Catalyst SD-WAN manager that could allow an attacker to upload and overwrite unwanted files on the affected system and gain vmanage user privileges.
- CVE-2026-20128 (CVSS Score: 7.5) – Storing passwords in a vulnerable format in Cisco Catalyst SD-WAN Manager could allow an authorized local attacker to gain DCA user privileges by accessing the DCA user credentials file on the file system as a user with low privileges.
- CVE-2026-20133 (CVSS Score: 6.5) – Exposure of sensitive information to an unauthorized actor on the Cisco Catalyst SD-WAN manager that could allow remote attackers to view sensitive information on affected systems.
It is worth noting that CISA added CVE-2024-27198, another bug affecting local versions of JetBrains TeamCity, to the KEV catalog in March 2024. It is not known yet if both vulnerabilities are exploited together and if the activity is the work of a single threat actor.
The CVE-2023-27351 exploit, on the other hand, was said to have been created by Lace Tempest in April 2023 in connection with attacks that bring the Cl0p and LockBit ransomware families.
As for CVE-2025-32975, Arctic Wolf said it saw unknown actors using the bug to target unfinished SMA programs late last month, although the end goals of the campaign are unknown.
Cisco, on the other hand, also said it became aware of the CVE-2026-20122 and CVE-2026-20128 exploits in March 2026. The company has yet to update its advisory to reflect the CVE-2026-20133 internal exploit.
Due to the active exploit, agencies of the Federal Civilian Executive Branch (FCEB) were recommended to address three Cisco vulnerabilities on April 23, 2026, and another on May 4, 2026.
